Service IAM Roles in Production Accounts

    Veeam Backup for AWS launches worker instances in production accounts to perform the following operations:

    By default, Veeam Backup for AWS selects the most appropriate network settings of AWS Regions in production accounts to launch worker instances used to perform EFS indexing operations, and uses the default network settings of AWS Regions to launch worker instances used to perform EC2 backup and restore operations. However, you can add worker configurations to specify network settings for each region in which worker instances will be deployed. When creating new worker configurations, Veeam Backup for AWS uses Worker Configuration IAM roles only to list network settings available in AWS Regions of production AWS accounts. To learn how to add worker configurations, see Adding Configurations for Production Accounts.

    Worker Configuration IAM Role Permissions

    If you add specific worker configurations that will be used to launch worker instances in production accounts, consider that IAM roles specified in the worker configuration settings must be granted the following permissions:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "ec2:DescribeAvailabilityZones",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeRegions",
                    "ec2:DescribeAccountAttributes",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeSecurityGroups"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
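
Because the role is used only to list network settings, a policy attached to it can be checked offline against the action list above. The following is an added example, not part of the Veeam documentation or product: it reports required actions that are missing or explicitly denied, and any allowed actions beyond the six listed. The names `audit_policy`, `REQUIRED` and `SAMPLE` are hypothetical, the sample policy is constructed, and conditions, `NotAction`, permissions boundaries and SCPs are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# Actions the page lists for the Worker Configuration IAM role.
REQUIRED = {
    "ec2:DescribeAvailabilityZones", "ec2:DescribeVpcs", "ec2:DescribeRegions",
    "ec2:DescribeAccountAttributes", "ec2:DescribeSubnets",
    "ec2:DescribeSecurityGroups",
}

def _as_list(value):
    # IAM accepts a single value or a list for Statement, Action and Resource.
    return [value] if isinstance(value, (str, dict)) else list(value)

def _covered(action, patterns):
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit_policy(policy_json):
    """Return (missing, excess) for an identity policy document.

    missing: required actions that are not allowed, or are explicitly denied.
    excess:  allowed action patterns that are not one of the required actions.
    """
    granted, usable, deny = [], [], []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        if stmt["Effect"] == "Deny":
            deny.extend(actions)      # conservative: any Deny counts
            continue
        granted.extend(actions)
        # These Describe calls do not support resource-level permissions,
        # so only an Allow on Resource "*" actually grants them.
        if "*" in _as_list(stmt.get("Resource", [])):
            usable.extend(actions)
    missing = sorted(a for a in REQUIRED
                     if not _covered(a, usable) or _covered(a, deny))
    required_lc = {a.lower() for a in REQUIRED}
    excess = sorted({p for p in granted if p.lower() not in required_lc})
    return missing, excess

# Constructed sample: a wildcard grant, an unrelated write action, and a Deny.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "ec2:RunInstances"]},
    {"Effect": "Deny", "Resource": "*", "Action": "ec2:DescribeSubnets"},
]})

if __name__ == "__main__":
    print(audit_policy(SAMPLE))
```

An empty `missing` list with an empty `excess` list means the policy grants exactly the permissions listed above and nothing more.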